Winners Consulting Services Co., Ltd. points out that the core debate on privacy is not about "whether to protect it," but whether market mechanisms can self-correct the excessive incentives for information collection. The economic analysis by Png and Hui proves that the free market cannot solve the externality problem of information gathering. This has direct and profound practical implications for Taiwanese companies in designing their ISO 27701 compliance strategies and Data Protection Impact Assessments (DPIAs).
Paper Source: The Economics of Privacy (I.P.L. Png, Kai-Lung Hui, arXiv)
Original Link: https://core.ac.uk/download/pdf/9314493.pdf
About the Authors and This Research
This paper was co-authored by two scholars from the National University of Singapore Business School. Kai-Lung Hui has an h-index of 6 and 422 citations for his academic work in the economics of privacy and information systems, making him a significant influencer in the Asia-Pacific academic community. Co-author I.P.L. Png has long focused on information economics. Together, they completed this systematic review of the economics of privacy from an Asia-Pacific market perspective.
This paper is not a typical legal compliance guide but rather an analysis from the perspective of "economic principles," dissecting why market mechanisms have inherent structural issues that cause them to fail in privacy protection. For business executives evaluating the ROI of GDPR, Taiwan's Personal Data Protection Act, and ISO 27701 compliance, this perspective provides an invaluable theoretical foundation for decision-making.
The Free Market Cannot Solve the Privacy Problem: Three Core Economic Findings
The paper's core argument directly challenges the mainstream narrative of "letting the market self-regulate privacy" and refutes it with a three-tiered economic analysis.
Core Finding 1: Excessive Incentives for Information Collection Do Not Consistently Increase Social Welfare
Png and Hui point out that for both "non-productive information" (e.g., behavioral tracking) and "productive information" (e.g., credit assessment), corporate incentives for information collection systematically exceed the socially optimal level. This means that even when companies act within legal boundaries, their information collection activities can still pose privacy risks to individuals. This finding echoes the core stance emphasized by FTC Consumer Protection Bureau Director Christopher Mufarrige in his March 2026 speech at George Mason University—that corporate responsibility in the data economy cannot rely solely on market self-regulation. For Taiwanese companies, this implies that identifying privacy risk should not stop at the level of "is it illegal?" but must further assess the actual impact on individuals.
Core Finding 2: Cross-Market Information Utilization Exacerbates Over-Investment
The paper specifically emphasizes that when personal data is reused across markets (e.g., an e-commerce platform selling purchase history data to an insurance company), the problem of over-investment in information collection worsens significantly. This phenomenon is quite common in Taiwan's digital advertising, FinTech, and retail sectors. McKinsey's research also indicates that while companies create value from consumer data, they must invest in corresponding data governance frameworks, or they will face dual risks from regulation and reputation. The phenomenon of cross-market information utilization is the fundamental reason why a DPIA must include "data flow analysis."
Core Finding 3: Both Overt and Covert Information Collection Require Regulatory Intervention
The paper clearly states that the "free market critique" does not apply to information collection that directly causes harm. Whether it is overt collection (after notification) or covert collection (without notification), as long as it directly harms the data subject, market mechanisms cannot provide adequate protection. This is highly consistent with the legislative spirit of GDPR's Article 5 "data minimization principle" and Article 5 of Taiwan's Personal Data Protection Act's "proportionality principle." It also forms the theoretical basis for ISO 27701's requirement for companies to establish a formal consent management mechanism.
Implications for PIMS Practices in Taiwan: Redesigning a Three-Tiered Compliance Framework
The economic analysis in this paper provides a strategic thinking framework for Taiwanese companies implementing ISO 27701 and establishing a PIMS that goes beyond a mere "regulatory checklist."
First, although Taiwan's Personal Data Protection Act establishes basic data protection obligations, a CSIS research report points out that the current legal framework is insufficient to address the rapidly changing digital environment. The analysis by Png and Hui reveals a common blind spot for Taiwanese companies: a Privacy Risk Assessment should not just be about "checking boxes against a legal list" but must systematically evaluate whether a company's information collection activities exceed the socially optimal level.
Second, the paper's analysis of cross-market information utilization directly corresponds to the compliance requirements of GDPR's Article 6, the "purpose limitation principle." If Taiwanese companies share personal data across subsidiaries or platforms, they must establish a clear data sharing policy within their ISO 27701 management system and conduct a DPIA for each type of cross-market use.
Third, the Bruegel report's recommendations on EU data processing consent reform resonate with this paper's property rights analysis—consent mechanisms cannot be a mere formality of "checking a box." They must be designed to account for the consumer's information asymmetry problem. This has direct practical guidance for Taiwanese companies in their privacy notice design and consent management system implementation. A complete Privacy Risk Management framework must cover legal compliance, economic incentive analysis, and technical controls.
It is particularly noteworthy that the paper's discussion on the "optimal allocation of property rights" reveals a perspective currently lacking in Taiwan's privacy regulation discussions. When the property rights of personal data are unclear, market mechanisms not only fail to protect privacy effectively but may also accelerate excessive information collection. For Taiwanese companies planning for ISO 27701 certification, this means that a Privacy Risk Assessment should include a comprehensive evaluation of the "data subject rights protection mechanism."
How Winners Consulting Services Helps Taiwanese Companies Translate Economic Insights into Compliance Actions
Winners Consulting Services Co., Ltd. assists Taiwanese companies in implementing the ISO 27701 standard, establishing personal data protection mechanisms that comply with GDPR and Taiwan's Personal Data Protection Act, and conducting DPIAs. We translate academic research insights into concrete, actionable management tools, helping companies complete a systematic PIMS implementation within 7 to 12 months.
- Information Collection Incentive Diagnosis: Corresponding to the paper's core finding of "excessive information collection incentives," Winners Consulting Services helps companies inventory all personal data collection items, assess the necessity and proportionality of each item, establish a data minimization policy compliant with ISO 27701 Clause 7.2.1, and quantify the potential impact of each collection activity using a privacy risk matrix.
- Cross-Market Data Flow DPIA: For companies with cross-subsidiary, cross-platform, or third-party data sharing needs, we design a DPIA process compliant with GDPR Article 35 standards, ensuring that every type of cross-market data utilization has a complete risk assessment and control measures record.
- Consent Management Mechanism Design: We establish a consent management system that complies with ISO 27701 and Article 7 of Taiwan's Personal Data Protection Act, ensuring a complete mechanism for obtaining, recording, withdrawing, and updating consent. This addresses the "consent failure due to information asymmetry" problem identified in the paper while creating comprehensive compliance documentation for future regulatory reviews.
Winners Consulting Services Co., Ltd. offers a Free PIMS Mechanism Diagnosis to help Taiwanese companies establish an ISO 27701-compliant management system in 7 to 12 months.
Frequently Asked Questions
- The paper states that market mechanisms lead to excessive data collection. How can Taiwanese companies determine if they face this risk?
- The key is to assess the gap between the necessity of the collection purpose and the actual usage rate. A warning sign of excessive collection is when over 30% of the personal data fields collected are never used or analyzed in actual business operations. We recommend conducting a Privacy Risk Assessment to systematically review the collection purpose, usage frequency, and retention period for each category of personal data. This should be benchmarked against the data minimization requirements of ISO 27701 Clause 7.2.1 and the proportionality principle in Article 5 of Taiwan's Personal Data Protection Act to identify and eliminate unnecessary collection items. An initial diagnosis can typically be completed within 4 to 6 weeks.
- What are the most common compliance challenges for Taiwanese companies when implementing ISO 27701?
- The most common challenge is the gap between existing privacy policies and actual operational processes. Many companies have written privacy statements, but their data processing activities lack corresponding controls, leading to numerous non-conformities during ISO 27701 audits. Specifically, common gaps for Taiwanese companies include incomplete lists of third-party processors, a lack of formal legal basis documentation for cross-border transfers, and non-standardized response procedures for data subject rights requests, which are required by GDPR Article 30 (Record of Processing Activities) and Article 8 of Taiwan's Personal Data Protection Act. A comprehensive Gap Analysis is recommended before implementation.
- What are the core requirements for ISO 27701 certification, and how long does it take for Taiwanese companies to implement it?
- ISO 27701 is a privacy extension to ISO 27001, with core requirements including establishing a Privacy Information Management System (PIMS), conducting DPIAs, creating a data subject rights response mechanism, and managing third-party data processors. For mid-sized Taiwanese companies (200-1,000 employees), implementation and certification typically take 9 to 12 months. Smaller companies (under 50 employees) can complete the process in as little as 7 months with sufficient organizational resources. The implementation process is divided into four phases: current state diagnosis (4-6 weeks), mechanism design (8-10 weeks), system implementation and training (12-16 weeks), and internal audit and certification preparation (6-8 weeks).
- How can the cost-benefit of ISO 27701 certification be evaluated? What resources do companies need to prepare?
- The direct benefits of ISO 27701 include reducing the financial risk of data breaches, meeting GDPR compliance requirements to maintain business with EU clients, and enhancing data subject trust. According to a 2023 IBM report, companies with mature privacy programs experience 43% lower average data breach costs. To implement ISO 27701, Taiwanese companies typically need to assign 1 to 2 internal project managers (dedicating 20-30% of their work time) and engage external consultants for DPIA and audit preparation. The business case is strongest for manufacturing and IT service industries exporting to the EU, with a typical return on investment within 18 to 24 months.
- Why choose Winners Consulting Services for Privacy Information Management System (PIMS) needs?
- Winners Consulting Services Co., Ltd. specializes in ISO 27701 implementation and PIMS establishment for Taiwanese companies, uniquely capable of translating academic insights, such as the economics of privacy, into actionable compliance tools. Our services cover the entire compliance lifecycle: from gap analysis and DPIA execution to ISO 27701 management system design, personnel training, and certification audit preparation, offering one-stop consulting support. Our team is proficient in the cross-compliance requirements of GDPR, Taiwan's Personal Data Protection Act, and ISO 27701, helping clients build sustainable privacy protection mechanisms without over-investment. We offer a free PIMS mechanism diagnosis, providing a clear compliance assessment report before you commit to a full project.